authorRenato Botelho <garga@FreeBSD.org>2014-06-17 14:53:50 -0300
committerRenato Botelho <garga@FreeBSD.org>2014-06-17 14:53:58 -0300
commite4921058c6c5e2cb99b997fcf2594e9a7e10a11e (patch)
tree3d5095b371362d4cb52c3ca5f05438ce97441ba5 /usr/local/www/widgets/widgets/rss.widget.php
parent526f5b114a2f93c4dbe95127eb574a1d1eca1df8 (diff)
Protect rssfeed parameters with htmlspecialchars()
Diffstat (limited to 'usr/local/www/widgets/widgets/rss.widget.php')
-rw-r--r--usr/local/www/widgets/widgets/rss.widget.php12
1 files changed, 6 insertions, 6 deletions
diff --git a/usr/local/www/widgets/widgets/rss.widget.php b/usr/local/www/widgets/widgets/rss.widget.php
index 03cb01e..eecda05 100644
--- a/usr/local/www/widgets/widgets/rss.widget.php
+++ b/usr/local/www/widgets/widgets/rss.widget.php
@@ -33,10 +33,10 @@ require_once("pfsense-utils.inc");
require_once("functions.inc");
if($_POST['rssfeed']) {
- $config['widgets']['rssfeed'] = str_replace("\n", ",", $_POST['rssfeed']);
- $config['widgets']['rssmaxitems'] = str_replace("\n", ",", $_POST['rssmaxitems']);
- $config['widgets']['rsswidgetheight'] = $_POST['rsswidgetheight'];
- $config['widgets']['rsswidgettextlength'] = $_POST['rsswidgettextlength'];
+ $config['widgets']['rssfeed'] = str_replace("\n", ",", htmlspecialchars($_POST['rssfeed'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rssmaxitems'] = str_replace("\n", ",", htmlspecialchars($_POST['rssmaxitems'], ENT_QUOTES | ENT_HTML401));
+ $config['widgets']['rsswidgetheight'] = htmlspecialchars($_POST['rsswidgetheight'], ENT_QUOTES | ENT_HTML401);
+ $config['widgets']['rsswidgettextlength'] = htmlspecialchars($_POST['rsswidgettextlength'], ENT_QUOTES | ENT_HTML401);
write_config("Saved RSS Widget feed via Dashboard");
header("Location: /");
}
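Review bot: The new code escapes at save time instead of validating, so `$config['widgets']['rsswidgetheight']` and `rsswidgettextlength` (L31–L32) are stored as HTML-entity strings even though they are sizes, and the feed list (L29) is still accepted as arbitrary text as long as it survives encoding. If the stored values are later passed through htmlspecialchars() again on output (not visible here), they will be double-encoded. For the two size fields a cast is both stricter and keeps the config clean: `$config['widgets']['rsswidgetheight'] = (int)$_POST['rsswidgetheight'];` and `$config['widgets']['rsswidgettextlength'] = (int)$_POST['rsswidgettextlength'];`. For `rssfeed`, splitting on `"\n"` and keeping only entries that pass `filter_var($url, FILTER_VALIDATE_URL)` before joining with `","` would reject malformed entries rather than storing an escaped copy of them; the `rssmaxitems` list is tied to it one-to-one, so either drop the same indices there or validate the pair together.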
@@ -48,10 +48,10 @@ if($config['widgets']['rssfeed'])
if($config['widgets']['rssmaxitems'])
$max_items = $config['widgets']['rssmaxitems'];
-if($config['widgets']['rsswidgetheight'])
+if(is_numeric($config['widgets']['rsswidgetheight']))
$rsswidgetheight = $config['widgets']['rsswidgetheight'];
-if($config['widgets']['rsswidgettextlength'])
+if(is_numeric($config['widgets']['rsswidgettextlength']))
$rsswidgettextlength = $config['widgets']['rsswidgettextlength'];
// Set a default feed if none exists
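Review bot: `is_numeric()` (L40, L43) accepts forms such as `" 7"`, `"1e3"`, `"-5"` and `"7.5"`, so the guard admits values that are not usable as a pixel height or character count and still assigns the raw string on L41/L44. Casting when assigning keeps the check and normalises the value: `$rsswidgetheight = (int)$config['widgets']['rsswidgetheight'];` and `$rsswidgettextlength = (int)$config['widgets']['rsswidgettextlength'];`, optionally rejecting `<= 0` if a default is assigned elsewhere. Note that these values arrive already passed through htmlspecialchars() by the save path, which is harmless for digits but means the stored strings are not guaranteed to be plain numerics. The `if($config['widgets']['rssfeed'])` shown in the hunk header begins before this hunk.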